b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                   The Applications Development Function\xe2\x80\x99s\n                    Quality Assurance Program Office Can\n                      Make Its Processes More Effective\n\n\n\n                                        February 17, 2011\n\n                              Reference Number: 2011-20-007\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                               HIGHLIGHTS\n\n\nTHE APPLICATIONS DEVELOPMENT                       the Applications Development function\xe2\x80\x99s\nFUNCTION\xe2\x80\x99S QUALITY ASSURANCE                       products and services. It employs qualified\nPROGRAM OFFICE CAN MAKE ITS                        specialists to perform its audits and provides the\nPROCESSES MORE EFFECTIVE                           Applications Development function feedback\n                                                   about its organizational practices.\n                                                   Currently, the Applications Development\nHighlights                                         function is the only activity in the MITS\n                                                   organization with a Quality Assurance Program\nFinal Report issued on February 17, 2011           Office. Transitioning to a MITS-wide Quality\n                                                   Assurance Program Office will help the MITS\nHighlights of Reference Number: 2011-20-007        organization achieve its goal of reaching\nto the Internal Revenue Service Chief              CMMI-Development maturity level 3.\nTechnology Officer.\n                                                   The products and documents created generally\nIMPACT ON TAXPAYERS                                met the Quality Assurance Program Office\n                                                   guidelines. However, the guidelines do not\nThe mission of the Applications Development        require approval signatures and dates on the\nfunction\xe2\x80\x99s Quality Assurance Program Office is     products by the appropriate Applications\nto assure product compliance, drive process        Development function managers. Also, the\nimprovement, and promote quality awareness.        Quality Assurance Program Office did not\nEnsuring the quality of development activities     effectively maintain all necessary documentary\nhelps the Modernization and Information            evidence to assess and support the reported\nTechnology Services (MITS) organization deliver    audit results.\nservices and solutions that drive effective tax\nadministration to ensure public confidence.        WHAT TIGTA RECOMMENDED\nWHY TIGTA DID THE AUDIT                            TIGTA recommended that the Chief Technology\n                                                   Officer: 1) expand the scope of the Quality\nThis audit was initiated at the request of the     Assurance Program Office to provide coverage\nMITS organization. The overall objective was to    across the MITS organization; 2) implement\ndetermine whether the Applications                 procedures to officially approve its products and\nDevelopment function\xe2\x80\x99s Quality Assurance           guidance documents; 3) improve the guidance\nProgram Office ensures development projects        to include requirements that assure an\nimplement a coordinated set of activities that     informative, accurate, and appropriate\nconform to organizational policies, processes,     perspective in reporting; and 4) further develop\nand procedures that meet the standards of the      the peer review guidance to help ensure audit\nSoftware Engineering Institute\xe2\x80\x99s Capability        reports are supported by sufficient, competent,\nMaturity Model Integration (CMMI) -                and relevant evidence.\nDevelopment maturity level 2.\n                                                   In its response to the report, the IRS agreed with\nWHAT TIGTA FOUND                                   TIGTA\xe2\x80\x99s recommendations. The IRS plans to:\nThe Quality Assurance Program Office generally     1) evaluate expanding the scope of the Quality\nmeets the CMMI-Development maturity level 2        Assurance Program Office; 2) modify its\nrequirements. The Applications Development         reporting procedures and templates to include\nfunction updated the role of the Quality           approvals; 3) strengthen the language relative to\nAssurance Program Office in April 2007. The        the reporting of the audit findings and ensure,\nupdate resulted in a directive that established    when possible, that the audit\xe2\x80\x99s results are input\nauthority and responsibility for the performance   into the database; and 4) strengthen the\nof quality assurance activities across the         language relative to the peer review process and\nApplications Development function.                 analyze the checklist to ensure it includes all\n                                                   appropriate issues for review.\nThe Quality Assurance Program Office\nimplemented a comprehensive plan to assess\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                          February 17, 2011\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Applications Development Function\xe2\x80\x99s\n                             Quality Assurance Program Office Can Make Its Processes More\n                             Effective (Audit # 201020026)\n\n This report presents the results of our review of the Applications Development function\xe2\x80\x99s\n Quality Assurance Program Office activities. The overall objective of this review was to\n determine whether the Applications Development function\xe2\x80\x99s Quality Assurance Program Office\n ensures development projects implement a coordinated set of activities that conform to\n organizational policies, processes, and procedures that meet the standards of the Software\n Engineering Institute\xe2\x80\x99s Capability Maturity Model Integration - Development maturity level 2.\n This review was requested by the Modernization and Information Technology Services\n organization and addresses the major management challenge of Modernization of the Internal\n Revenue Service. Management\xe2\x80\x99s complete response to the draft report is included as\n Appendix VI.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan\n Duncan, Assistant Inspector General for Audit (Security and Information Technology Services),\n at (202) 622-5894.\n\x0c                         The Applications Development Function\xe2\x80\x99s Quality Assurance\n                           Program Office Can Make Its Processes More Effective\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          The Quality Assurance Program Office Generally Meets\n          the Maturity Level 2 Requirements .............................................................. Page 3\n                    Recommendation 1:........................................................ Page 6\n\n          The Quality Assurance Program Office Should Ensure\n          All Products Include an Approval Signature ................................................ Page 6\n                    Recommendation 2:........................................................ Page 7\n\n          The Quality Assurance Program Office Audit\n          Documentation and Procedures Need Improvement .................................... Page 7\n                    Recommendation 3:........................................................ Page 10\n\n                    Recommendation 4:........................................................ Page 11\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 12\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 15\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 16\n          Appendix IV \xe2\x80\x93 Quality Assurance Program Office Audits Reviewed ......... Page 17\n          Appendix V \xe2\x80\x93 Glossary of Terms ................................................................. Page 23\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 24\n\x0c        The Applications Development Function\xe2\x80\x99s Quality Assurance\n          Program Office Can Make Its Processes More Effective\n\n\n\n\n                      Abbreviations\n\nCMMI            Capability Maturity Model Integration\nIRS             Internal Revenue Service\nMITS            Modernization and Information Technology Services\nTIGTA           Treasury Inspector General for Tax Administration\n\x0c                       The Applications Development Function\xe2\x80\x99s Quality Assurance\n                         Program Office Can Make Its Processes More Effective\n\n\n\n\n                                              Background\n\nThe Applications Development function in the Modernization and Information Technology\nServices (MITS) organization collaborates with the other Internal Revenue Service (IRS)\nbusiness functions to provide integrated computer software solutions that align with the business\npriorities of the IRS. Specific focus areas for the Applications Development function include\ndeveloping modernized applications, delivering applications to support the processing of income\ntax returns, and maintaining existing technology systems. The Quality Assurance Program\nOffice assists the Applications Development function meet its mission by assuring product\ncompliance, driving process improvement, and promoting quality awareness. To fulfill this role,\nthe Quality Assurance Program Office provides the MITS organization\xe2\x80\x99s senior management\nwith assessments of the products being built and the services being provided. These assessments\ncommunicate whether development activities conform to applicable contractual, program, and\nproject requirements and whether the development activities use repeatable, standardized, and\neffective processes.\nThe objectives of the Quality Assurance Program Office are to:\n      \xe2\x80\xa2    Assess the Applications Development function\xe2\x80\x99s portfolio each year to objectively\n           evaluate performance against applicable standards and requirements.\n      \xe2\x80\xa2    Institutionalize the Enterprise Life Cycle1 and promote standardization of organizational\n           processes and procedures.\n      \xe2\x80\xa2    Enable project quality principles and practices through mentoring, coaching, and training.\n      \xe2\x80\xa2    Produce performance measures that identify progress, variances, trends, and opportunities\n           for improvement.\n      \xe2\x80\xa2    Ensure continuous process improvement using industry standards to provide\n           cost-effective, high-quality products and solutions.\nThe Quality Assurance Program Office is part of the Applications Development function\xe2\x80\x99s effort\nin leading a MITS organization-wide initiative to use the Software Engineering Institute\xe2\x80\x99s\nCapability Maturity Model Integration (CMMI). The CMMI consists of best practices that\naddress development and maintenance activities covering the product development life cycle\nfrom conception through delivery and maintenance. Specifically, the MITS organization is\nplanning to use the CMMI-Development model to help improve its development and\nmaintenance processes for both products and services.\n\n\n1\n    See Appendix V for a glossary of terms.\n                                                                                               Page 1\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\nAll CMMI models reflect maturity levels in their design and content. A maturity level consists\nof related specific and generic practices for a predefined set of process areas that improve the\norganization\xe2\x80\x99s overall performance. The MITS organization has set a target for achieving\nmaturity level 2 using the CMMI-Development model by January 2011 and level 3 by\nJune 2012.\n   \xe2\x80\xa2   At maturity level 2, the projects of the organization have ensured that processes are\n       planned and executed in accordance with policy; projects employ skilled people who\n       have adequate resources to produce controlled outputs; projects involve relevant\n       stakeholders; projects are monitored, controlled, and reviewed; and projects are evaluated\n       for adherence to their process descriptions.\n   \xe2\x80\xa2   At maturity level 3, processes are well characterized and understood, and are described in\n       standards, procedures, tools, and methods. The organization\xe2\x80\x99s set of standard processes,\n       which is the basis for maturity level 3, is established and improved over time. These\n       standard processes are used to establish consistency across the organization.\nThe CMMI defines quality assurance as a planned and\nsystematic means for assuring management that the\ndefined standards, practices, procedures, and methods of         Process and product quality\nthe process are applied. Process and product quality         assurance provides the project staff\n                                                                and all levels of managers with\nassurance is an aspect of the CMMI that provides                appropriate visibility into, and\nspecific practices for objectively evaluating performed        feedback on, the processes and\nprocesses, work products, and services against the                associated work products\napplicable process descriptions, standards, and               throughout the life of the project.\nprocedures, and ensuring that any issues arising from\nthese reviews are addressed.\nThis review was performed at the MITS organization facilities in New Carrollton, Maryland,\nduring the period June through September 2010. This audit was performed at the request of the\nMITS organization. We conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                           Page 2\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\n\n                                Results of Review\n\nThe Quality Assurance Program Office Generally Meets the Maturity\nLevel 2 Requirements\nWe analyzed the Internal Revenue Manual and found that it included the CMMI-Development\nmaturity level 2 quality assurance requirements. Further, the Quality Assurance Program\nOffice\xe2\x80\x99s processes, guidance, and procedures generally meet the CMMI maturity level 2\nrequirements for quality assurance.\nThe Applications Development function updated the role of the Quality Assurance Program\nOffice in April 2007. The update resulted in a directive that established authority and\nresponsibility for the performance of quality assurance activities across the Applications\nDevelopment function.\n\nGuidance documents were developed for auditing project development activities\nThe Quality Assurance Program Office has made significant progress in developing guidance for\nits audit activities. Since April 2007, it has developed and issued guidance documentation that\nincludes templates, checklists, processes, procedures, handbooks, and training modules. The\nguidance developed covers all aspects of the quality assurance activities for use by the quality\nspecialists. The topics the guidance covers include auditing, status reporting, peer reviews,\nmetrics, and lessons learned. By developing this guidance, the Quality Assurance Program\nOffice has provided the quality specialists with tools to guide them in auditing the Applications\nDevelopment function\xe2\x80\x99s project development activities.\n\nA comprehensive plan was implemented to assess the products and services\nTo implement the directive, the Quality Assurance Program Office develops annual audit plans.\nThe annual audit plans describe the goals for coverage of the Applications Development\nfunction\xe2\x80\x99s five business domains. Table 1 presents these domains and the eight process areas\nplanned for review by the Quality Assurance Program Office during Fiscal Year 2010.\n\n\n\n\n                                                                                          Page 3\n\x0c                   The Applications Development Function\xe2\x80\x99s Quality Assurance\n                     Program Office Can Make Its Processes More Effective\n\n\n\n    Table 1: Applications Development Function Domains and Process Areas\n\n               Business Domain                                        Process Area\n   Compliance                                         Project Planning\n   Corporate Data                                     Project Monitoring and Control\n   Customer Service                                   Configuration Management\n   Internal Management                                Requirements Management\n   Submission Processing                              Measurement and Analysis\n                                                      Software Development\n                                                      Supplier Agreement Management\n                                                      Testing\n\nSource: Internal Revenue Manual and the Applications Development function\xe2\x80\x99s Quality Assurance Program\nOffice Fiscal Year 2010 Program Plan.\n\nThe Quality Assurance Program Office met the annual audit plan goal in Fiscal Year 2008 by\nperforming 65 audits and in Fiscal Year 2009 by performing 79 audits. These audits included\nrepresentative coverage of the Applications Development function\xe2\x80\x99s business domains and\nprocess areas.\nThe audit reports included issues facing the domains and projects in the Applications\nDevelopment function. These issues included project planning, project monitoring and control,\nconfiguration management, risk management and contingency management plans, requirements\nmanagement, and security issues. With this information, the Applications Development function\ncan focus on improvements the Quality Assurance Program Office audit reports identified.\n\nQualified specialists were employed to perform the audits\nThe Quality Assurance Program Office uses quality specialists to conduct audits of the\nApplications Development function\xe2\x80\x99s portfolio to determine the level of compliance with the\norganizational standards, processes, and procedures. The quality specialists have responsibilities\nfor implementing best practices that are compliant with the CMMI-Development in order to\nachieve maturity levels 2 and 3.\nThe quality specialist\xe2\x80\x99s qualifications are outlined in a set of requirements for the position\xe2\x80\x99s\nknowledge, skills, and abilities. These requirements include knowledge of program and project\nmanagement concepts; experience in developing and performing audits/monitoring software\nengineering life cycle processes; experience in performing quality assurance activities; the ability\n                                                                                                   Page 4\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\nto communicate effectively, both verbally and in writing; and the ability to effectively interact in\ngroups. The quality specialists have also received CMMI-Development training to supplement\ntheir knowledge, skills, and abilities.\nThe quality specialists make recommendations to help improve the organization\xe2\x80\x99s project\nmanagement. These recommendations relate to project management activities such as\nconfiguration management, requirements management, and project scheduling.\n\nFeedback about organization practices is provided\nAn element of the CMMI-Development Process and Product Quality Assurance process involves\nproviding feedback to Applications Development function project staff and managers on the\nresults of quality assurance activities. The Quality Assurance Program Office implemented this\nguidance with its Status Reporting Procedure. The Procedure directs the Office to collect,\nanalyze, interpret, and report on measures derived from audits conducted. These measures\nprovide insight on the organization\xe2\x80\x99s ability to comply with Enterprise Life Cycle requirements.\nThey also help to identify skill gaps and organization processes that may need modifications for\nproper implementation across the Applications Development function\xe2\x80\x99s portfolio. Measurements\nare reported quarterly and at yearend to Applications Development function\xe2\x80\x99s Domain Directors\nand the Program Management Office.\n\nExpanding the Quality Assurance Program to cover all MITS organizations will\ncontribute to achieving a higher maturity level\nThe Applications Development function\xe2\x80\x99s Quality Assurance Program Office structure is\nadequate to its goals. The CMMI-Development provides the following guidance on the\nexpectations for a quality assurance organization at different maturity levels.\n   \xe2\x80\xa2   To meet CMMI-Development maturity level 2 requirements, a Process and Product\n       Quality Assurance support process must be established to objectively evaluate performed\n       processes, work products, and services against the applicable process descriptions,\n       standards, and procedures and ensure that any issues arising from these reviews are\n       addressed.\n   \xe2\x80\xa2   To meet CMMI-Development maturity level 3 requirements, the Process and Product\n       Quality Assurance organization must ensure processes are well characterized and\n       understood, and are described in standards, procedures, tools, and methods. These\n       standard processes are used to establish consistency across the organization. The CMMI\n       defines an organization as an administrative structure in which people collectively\n       manage one or more projects as a whole and whose projects share a senior manager and\n       operate under the same policies.\nCurrently, the Applications Development function is the only activity in the MITS organization\nwith a Quality Assurance Program Office. Although the Quality Assurance Program Office is\n\n                                                                                             Page 5\n\x0c                    The Applications Development Function\xe2\x80\x99s Quality Assurance\n                      Program Office Can Make Its Processes More Effective\n\n\n\nassigned to and reports to the Applications Development function, the scope of its audits\ninvolves other components of the MITS organization. For example, the Quality Assurance\nProgram Office has made assessments of configuration management and requirements\nmanagement which are in the Enterprise Services function\xe2\x80\x99s responsibilities.\nFor the MITS organization to reach its goal of achieving CMMI-Development maturity level 3,\nthe scope of the Quality Assurance Program Office must ensure processes are well characterized,\nunderstood, and described in standards, procedures, tools, and methods. These standard\nprocesses should be used to establish consistency across the MITS organization. Implementing\nthis scope would involve organizational changes for a Quality Assurance Program Office to have\nMITS-wide assessment and reporting responsibilities. This scope of responsibility would benefit\nthe MITS organization by enabling it to achieve consistency across the organization. In addition,\na MITS-wide Quality Assurance Program Office would prevent duplication of effort and extra\ncosts if other MITS organization components begin implementing Quality Assurance Program\nOffices.\n\nRecommendation\nRecommendation 1: As the Quality Assurance Program Office processes mature, the Chief\nTechnology Officer should consider establishing a separate quality assurance group to provide\ncoverage across the MITS organization. Once the development processes throughout the\norganization have matured and CMMI maturity level 3 is within sight, the MITS organization\nshould realign the quality assurance group to report to the Office of the Chief Technology\nOfficer.\n          Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The Chief\n          Technology Officer plans to evaluate the feasibility and timing of this recommendation,\n          in consideration of a variety of Information Technology factors, as the achievement of\n          CMMI maturity level 3 is within sight.\n\nThe Quality Assurance Program Office Should Ensure All Products\nInclude an Approval Signature\nThe Government Accountability Office\xe2\x80\x99s Standards for Internal Control in the Federal\nGovernment2 provide that internal control activities help ensure that management\xe2\x80\x99s directives are\ncarried out. Control activities are the policies, procedures, techniques, and mechanisms that\nenforce management\xe2\x80\x99s directives. Control activities occur at all levels and functions of the\nentity. They include a wide range of diverse activities such as approvals, authorizations,\nverifications, and the creation and maintenance of related records which provide evidence of\nexecution of these activities as well as appropriate documentation.\n\n2\n    GAO/AIMD-00-21.3.1, November 1999.\n                                                                                            Page 6\n\x0c                    The Applications Development Function\xe2\x80\x99s Quality Assurance\n                      Program Office Can Make Its Processes More Effective\n\n\n\nThe Quality Assurance Program Office develops products and documents to provide direction\nfor its program and to summarize results of its efforts. The products and documents include the\nannual audit plans, program guidance documents, audit reports, and Domain Director and\nProgram Management Office Director Reports. The Quality Assurance Program Office created\ndirectives and templates to help ensure these documents meet the needs of the program.\nThe products and documents created generally met the office guidelines. However, the\nguidelines do not require approval signatures and dates on the products by the Quality Assurance\nProgram Office Director, the Program Management Office Director, or the Assistant Chief\nInformation Officer for the Applications Development function. Dated signatures by the\nappropriate levels of management provide assurance that the products and guidance documents\nissued or implemented were properly reviewed and approved.\n\nRecommendation\nRecommendation 2: The Chief Technology Officer should require the Applications\nDevelopment function to implement procedures to officially approve the Quality Assurance\nProgram Office products and guidance documents including, but not limited to, the annual audit\nplans, program guidance documents, audit reports, and Domain Director and Program\nManagement Office Director Reports.\n        Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The\n        Applications Development function\xe2\x80\x99s Quality Assurance Program Office plans to modify\n        its reporting procedures and templates to include approvals related to its products and\n        guidance documentation.\n\nThe Quality Assurance Program Office Audit Documentation and\nProcedures Need Improvement\nTo assess the effectiveness of the Quality Assurance Program Office\xe2\x80\x99s evaluations of projects\nand processes, we reviewed a judgmental sample of 29 Quality Assurance Program Office audits\nconducted in Fiscal Years 2008 and 20093 to determine whether the results reported by the\nQuality Assurance Program Office were supported by adequate documentary evidence.\n\nDocumentary evidence to assess and support the reported audit results was not\neffectively maintained\nAlthough the Quality Assurance Program Office audit reports provide valuable feedback to the\nApplications Development function, the issues reported were not always supported with\n\n\n3\n  Appendix IV presents a summary of the Treasury Inspector General for Tax Administration (TIGTA) review\nresults for the 29 Quality Assurance Program Office audits sampled.\n                                                                                                      Page 7\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\nsufficient, relevant, and accessible evidence. The Quality Assurance Program Office uses an IRS\nelectronic network repository to maintain electronic files documenting the audit evidence. The\nApplications Development function\xe2\x80\x99s Quality Assurance Program Office Document\nManagement Procedure, dated March 30, 2007, provides instructions for audit evidence (audit\nnotifications, evaluation checklists, presentations, audit reports, and corrective action plans) to be\nfiled within the Quality Assurance Program Office electronic network repository.\nWe were informed that the required documentation missing from the repository was sometimes\nmaintained on the personal computers of the quality specialists who performed the audits. In\naddition, some audits were performed by contractor personnel who did not have access to the\nelectronic repository. This documentation was maintained in a separate hardcopy file and was\nnot always scanned for inclusion in the electronic network repository. In our review of 29 audits,\nwe identified:\n   \xe2\x80\xa2   19 audits that did not have all the supporting documentation filed in the Quality\n       Assurance Program Office repository; however, the documents were provided from the\n       quality specialists\xe2\x80\x99 personal computer files.\n   \xe2\x80\xa2   11 audits that were missing the Preliminary Audit Plan Notice and/or Opening\n       Presentation documentation.\n   \xe2\x80\xa2   4 audits that were missing the Audit Evaluation Checklist.\n   \xe2\x80\xa2   3 audits that were missing the Corrective Action Plan.\nAdequate maintenance of audit evidence in a centralized and accessible location will allow the\nQuality Assurance Program Office to effectively provide the necessary documentation to support\nthe audit results reported.\n\nProcedures to ensure the audit evidence was complete were not adequate or\nalways followed\nThe audit files did not always clearly support the findings reported or ensure resolution of the\nnoncompliance issues. In our review of the 29 audits, we found the following procedural issues.\nThe Audit Evaluation Checklist issues did not include references to the reports\xe2\x80\x99 noncompliance\nissues or reasons for not including the issues identified on the Audit Evaluation Checklist as\nreport findings. The absence of cross references to and from the audit documentation and the\nreport prevents a reviewer from making an adequate assessment of the accuracy of the audit\nreport. For example:\n   \xe2\x80\xa2   18 Audit Evaluation Checklists did not include explanations for noncompliant and/or\n       partially compliant issues and could not be easily referenced to noncompliance issues\n       presented in the audit report.\n\n\n                                                                                              Page 8\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\n   \xe2\x80\xa2   3 audits had inconsistent results reported between the checklist, audit report, and/or\n       Program Management Office Director Reports.\nThe Quality Assurance Program Office includes program reviews as part of its audit coverage.\nProgram review audits were initiated because the Applications Development function\xe2\x80\x99s domains\nreorganized their investment portfolios and aligned related projects in the same program. The\nprogram review includes audits of related projects within a specific program. The results of\nthese audits are summarized and presented as one report for the entire program.\nOur sample review of 29 audits included 3 program reviews. The official database for Quality\nAssurance Program Office audits did not include results for the program reviews or the reviews\nof the projects associated with the programs. Without detailed program review results, the\ndatabase does not provide a complete picture of the audit activities. Although noncompliance\nissues from the program reviews are not included in the aging reports for follow up by the\nQuality Assurance Program Office, according to the Chief, Quality Assurance Program Office,\nthese issues are monitored separately by the quality specialists.\nThe Quality Assurance Program Office reports noncompliance issues identified during an audit.\nThe project team is required to prepare a Corrective Action Plan detailing when each reported\nissue will be resolved. The Quality Assurance Program Office monitors the resolution of the\nreported noncompliance issues to ensure the Applications Development function\xe2\x80\x99s domains\ntimely implement their corrective actions as documented in their plans and then update the\ndatabase regarding the status of the resolution of the noncompliance issues. If a noncompliance\nissue is not timely resolved, it is escalated through the management chain for resolution.\nWe reviewed the status of the Corrective Action Plans prepared by the project teams to resolve\nthe reported noncompliance issues and determined if the issues were monitored and resolved\ntimely. Our review found:\n   \xe2\x80\xa2   16 audits did not provide explanations for overdue noncompliance issues, and the issues\n       were not escalated to ensure resolution.\n   \xe2\x80\xa2   8 audits with inaccurate database date entries for audit closing, audit report issue, planned\n       resolution, and/or noncompliance issue closed dates.\nAdequate procedures to provide guidance on maintaining complete and accurate audit evidence\nwill help ensure the Quality Assurance Program Office has sufficient support for its reports. In\naddition, taking adequate action to follow up on noncompliant project issues will allow the\nApplications Development function the opportunity to achieve product and service\nimprovements.\n\nThe peer review process was not complete or adequately documented\nThe peer review provides a control to help assure findings and conclusions in audit reports are\nfully supported by sufficient, competent, and relevant evidence. The Quality Assurance Program\n\n                                                                                             Page 9\n\x0c                  The Applications Development Function\xe2\x80\x99s Quality Assurance\n                    Program Office Can Make Its Processes More Effective\n\n\n\nOffice developed peer review guidance to help facilitate a thorough and consistent peer review\nprocess. Although the Quality Assurance Program Office initiated peer review activities, the\nprocess was not always thorough.\nWe analyzed the samples of 29 audit reports, 10 Domain Director Reports, and the Fiscal\nYears 2008 and 2009 annual Program Management Office Director Reports, to determine\nwhether the reports were subjected to a peer review before issuance. We reviewed the completed\npeer review comments to note any issues identified and whether all significant issues were\nresolved before report issuance. Our review found:\n   \xe2\x80\xa2   The Quality Assurance Program Office repository did not include peer review\n       documentation for any of the Quality Assurance Program Office\xe2\x80\x99s audit reports, Domain\n       Director Reports, and Program Management Office Director Reports.\n   \xe2\x80\xa2   After we requested the missing documentation, we received peer review documentation\n       for only 5 of the 29 audit reports, 3 of the 10 Domain Director Reports, and 1 of the 2\n       Program Management Office Director Reports.\n   \xe2\x80\xa2   The peer review documentation focused primarily on the report presentation\n       (format/punctuation/grammar) rather than determining whether the report issues were\n       supported with adequate documentary evidence.\n   \xe2\x80\xa2   There was no clear indication that the quality specialists addressed the peer review\n       comments prior to the issuance of the audit report.\n   \xe2\x80\xa2   The peer reviews did not address Audit Evaluation Checklist items that were inaccurately\n       presented or missing from the audit reports.\nBy ensuring an adequate peer review, the Quality Assurance Program Office audit, Domain\nDirector, and Program Management Office Director Reports will have greater assurance of being\ninformative, accurate, and appropriate in perspective.\n\nRecommendations\nRecommendation 3: The Chief Technology Officer should ensure the Quality Assurance\nProgram Office guidance includes requirements that: 1) quality specialists support all findings\nincluded in reports with available references to the documentation to support the report issues,\n2) all noncompliance issues are adequately monitored to resolution, and 3) the database\nrepository for Quality Assurance Program Office audits includes all audit results and corrective\naction dates.\n       Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The Quality\n       Assurance Program Office plans to strengthen the language relative to the reporting of\n       the audit findings to include a mapping of the checklists to the findings and the\n       monitoring of noncompliances. To the extent possible, the Quality Assurance Program\n                                                                                          Page 10\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\n       Office plans to ensure that the audit\xe2\x80\x99s results are input into the database. The IRS noted\n       that the database currently does not have the ability to capture program data. The Quality\n       Assurance Program Office plans to explore the acquisition of a more robust tool to\n       alleviate the issues described in item number three of this recommendation.\nRecommendation 4: The Chief Technology Officer should have the Quality Assurance\nProgram Office further develop the peer review guidance to ensure audit reports are supported by\nsufficient, competent, and relevant evidence. To help facilitate an adequate peer review, the\nQuality Assurance Program Office should analyze the peer review checklist to ensure it includes\nall appropriate issues for review and require its use in performing peer reviews.\n       Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The Quality\n       Assurance Program Office plans to strengthen the language relative to the peer review\n       process and analyze the checklist to ensure it includes all appropriate issues for review.\n\n\n\n\n                                                                                          Page 11\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\n                                                                                 Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective was to determine whether the Applications Development function\xe2\x80\x99s\nQuality Assurance Program Office ensures development projects implement a coordinated set of\nactivities that conform to organizational policies, processes, and procedures that meet the\nstandards of the Software Engineering Institute\xe2\x80\x99s CMMI - Development maturity level 2.\nWe assessed the adequacy of program documentation and data provided by the IRS. We\nsupported this work by interviewing Quality Assurance Program Office personnel. Specifically,\nwe:\nI.     Determined whether the Applications Development function\xe2\x80\x99s Quality Assurance\n       Program Office had effective program management processes to objectively identify and\n       evaluate projects and their related development work processes.\n       A. Reviewed the current organizational structure of the Quality Assurance Program\n          Office to determine if it is effective to provide independent evaluations of the\n          Applications Development function processes and projects.\n       B. Determined whether the Quality Assurance Program Office\xe2\x80\x99s audit selection criteria\n          and annual audit plan provide adequate review coverage to meet the goals and\n          objectives for performing evaluations of the investment portfolio.\n       C. Determined whether the Quality Assurance Program Office specialists have adequate\n          qualifications to perform the audits in compliance with the CMMI.\n       D. To obtain a general assessment of the adequacy of the Quality Assurance Program\n          Office audit activities, we selected a sample of Quality Assurance Program Office\n          Domain Director Reports to determine whether the audits performed were fairly\n          presented. Our review included a judgmentally selected sample of 10 of the 55\n          Domain Director Reports that were issued in Fiscal Years 2008 and 2009. Also, we\n          reviewed the Fiscal Years 2008 and 2009 annual Program Management Office\n          Director Reports. We determined whether the audits performed were fairly presented\n          in the reports and if peer reviews were conducted for the sample of Domain Director\n          Reports and the annual Program Management Office Director Reports. We used a\n          judgmental sample because we did not intend to project the results of this sample to\n          the population.\n\n\n\n\n                                                                                       Page 12\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\nII.    Determined whether the Quality Assurance Program Office has an effective process to\n       perform the responsibilities as required by the CMMI.\n       A. Reviewed the processes, guidance, and procedures implemented by the Quality\n          Assurance Program Office and determined whether they meet the requirements of the\n          CMMI-Development.\n       B. Determined whether the audit reports, Domain Director Reports, and the annual\n          Program Management Office Director Reports used to convey the results of the\n          evaluations of the processes and projects meet the requirements of the CMMI-\n          Development.\nIII.   Determined whether the project and process evaluations effectively identified and\n       reported noncompliance with processes and procedures and whether adequate corrective\n       actions were taken.\n       A. To obtain a general assessment of the adequacy of the Quality Assurance Program\n          Office audit activities, we selected a judgmental sample of Quality Assurance\n          Program Office audit files to determine whether the Quality Assurance Program\n          Office quality specialists obtained and documented adequate evidence to support the\n          observations reported. Our review included a judgmentally selected sample of\n          20 percent of the Quality Assurance Program Office audits conducted in Fiscal\n          Years 2008 and 2009. The sample of 29 audits included 13 of the 65 audits\n          completed in Fiscal Year 2008 and 16 of the 79 audits completed in Fiscal Year 2009.\n          We used a judgmental sample because we did not intend to project the results of this\n          sample to the population.\n       B. Determined whether each audit report was subjected to the Quality Assurance\n          Program Office\xe2\x80\x99s own peer review before issuance.\n       C. Determined whether all the noncompliance issues identified in the reports were or are\n          being monitored.\n       D. Determined if any audit reports issued with noncompliance issues were disagreed by\n          the auditee and whether the escalation procedures were followed to resolve the\n          disagreements.\n\n\n\n\n                                                                                        Page 13\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: CMMI-Development, the Enterprise Life\nCycle, and the Internal Revenue Manual. We supported this work by interviewing Applications\nDevelopment function executives and the Chief, Quality Assurance Program Office, and staff.\n\n\n\n\n                                                                                      Page 14\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nScott A. Macfarlane, Director\nEdward A. Neuwirth, Audit Manager\nMichael A. Garcia, Senior Auditor\nBeverly K. Tamanaha, Senior Auditor\nTina Wong, Senior Auditor\nLouis V. Zullo, Senior Auditor\nTuyet Nguyen, Auditor\n\n\n\n\n                                                                                     Page 15\n\x0c                The Applications Development Function\xe2\x80\x99s Quality Assurance\n                  Program Office Can Make Its Processes More Effective\n\n\n\n                                                                        Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nAssociate Chief Information Officer, Applications Development OS:CTO:AD\nAssociate Chief Information Officer, Enterprise Services OS:CTO:ES\nAssociate Chief Information Officer, Modernization Program Management Office OS:CTO:MP\nDeputy Associate Chief Information Officer, Applications Development OS:CTO:AD\nDeputy Associate Chief Information Officer, Enterprise Services OS:CTO:ES\nDirector, Enterprise Systems Testing OS:CTO:AD:TAD\nDirector, Risk Management OS:CTO:SP:RM\nDirector, Strategy and Capital Planning OS:CTO:SP:S\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Associate Chief Information Officer, Applications Development OS:CTO:AD\n       Associate Chief Information Officer, Enterprise Services OS:CTO:ES\n       Director, Risk Management OS:CTO:SP:RM\n\n\n\n\n                                                                               Page 16\n\x0c                   The Applications Development Function\xe2\x80\x99s Quality Assurance\n                     Program Office Can Make Its Processes More Effective\n\n\n\n                                                                                               Appendix IV\n\n Quality Assurance Program Office Audits Reviewed\n\nThe following tables present the results of our review of 29 Quality Assurance Program Office\naudits from Fiscal Years 2008 and 2009. The review results presented below include the issues\nwe identified relating to deficiencies in capturing adequate documentation to support audit\nresults and appropriate application of procedural guidance in performing the audits.\n                                  Table 1: Fiscal Year 2008 Audits\n\n               Quality                      TIGTA                                    TIGTA\n           Assurance Audit             Documentation Issue                       Procedural Issue\n     1.   Correspondence           No peer review documentation.          No explanation for partially\n          Examination                                                     compliant issues \xe2\x80\x93 unable to track\n          Automated System                                                these checklist issues to the\n          Major Windows-Intel                                             reported noncompliance issues.\n          (Intel-based Windows\n          computer system)\n     2.   Automated                Peer review documentation not on       No explanation for overdue\n          Underreporter Program    electronic network repository;         noncompliance issues and not\n                                   provided upon request.                 escalated.\n\n\n     3.   Automated Insolvency     Peer review documentation not on       1) No explanation for overdue\n          System                   electronic network repository;         noncompliance issues and not\n                                   provided upon request.                 escalated.\n                                                                          2) No explanation for partially\n                                                                          compliant issues \xe2\x80\x93 unable to track\n                                                                          these checklist issues to the\n                                                                          reported noncompliance issues.\n     4.   Business Master File     1) No audit notification               1) No explanation for overdue\n          Research and Support     documentation.                         noncompliance issues and not\n          \xe2\x80\x93 Federal                2) No peer review documentation.       escalated.\n          Unemployment Tax         3) Opening presentation, audit         2) Incorrect dates on database.\n          Act                      evaluation checklist, corrective       3) No explanation for partially\n                                   action plan, and audit report not on   compliant issues \xe2\x80\x93 unable to track\n                                   electronic network repository;         these checklist issues to the\n                                   provided upon request.                 reported noncompliance issues.\n\n\n\n\n                                                                                                         Page 17\n\x0c                The Applications Development Function\xe2\x80\x99s Quality Assurance\n                  Program Office Can Make Its Processes More Effective\n\n\n\n\n           Quality                       TIGTA                                  TIGTA\n       Assurance Audit              Documentation Issue                     Procedural Issue\n 5.   Notice Print Processing   1) Audit notification and open      1) No explanation for overdue\n      \xe2\x80\x93 Individual Taxpayer     presentation not on electronic      noncompliance issues and not\n      Identification Number     network repository; provided upon   escalated.\n                                request.                            2) No explanation for\n                                2) No peer review documentation.    noncompliant issues \xe2\x80\x93 unable to\n                                3) Corrective action plan           track these checklist issues to the\n                                incomplete.                         reported noncompliance issues.\n 6.   Enterprise Return         1) No audit notification            None.\n      Retrieval                 documentation.\n                                2) No peer review documentation.\n 7.   Accounts Management       1) Audit notification not on        No explanation for overdue\n      Services Project          electronic network repository;      noncompliance issues and not\n      Release 1.3               provided upon request.              escalated.\n                                2) No peer review documentation.\n                                3) Corrective action plan\n                                incomplete.\n 8.   Web Integration,          1) No audit notification and open   No explanation for overdue\n      Collaboration and         presentation documentation.         noncompliance issues and not\n      Development               2) No peer review documentation.    escalated.\n                                3) No audit evaluation checklist.\n 9.   Web Integration,          1) No audit notification and open   No explanation for overdue\n      Collaboration and         presentation documentation.         noncompliance issues and not\n      Development               2) No peer review documentation.    escalated.\n                                3) No audit evaluation checklist.\n10.   Embedded Quality          1) Audit notification not on        1) Incorrect dates on database.\n                                electronic network repository;      2) Noncompliance issues closed\n                                provided upon request.              even though not resolved because\n                                2) No opening presentation          followup audit being conducted.\n                                documentation.\n                                3) No peer review documentation.\n                                4) No audit evaluation checklist.\n\n\n\n\n                                                                                                     Page 18\n\x0c                The Applications Development Function\xe2\x80\x99s Quality Assurance\n                  Program Office Can Make Its Processes More Effective\n\n\n\n\n           Quality                    TIGTA                                  TIGTA\n       Assurance Audit           Documentation Issue                     Procedural Issue\n11.   Security Audit and     1) Audit notification, audit         1) No explanation for partially\n      Analysis System        evaluation checklists, and           compliant and noncompliance\n                             corrective action plan not on        issues \xe2\x80\x93 unable to track these\n                             electronic network repository;       checklist issues to the reported\n                             provided upon request.               noncompliance issues.\n                             2) No peer review documentation.     2) Incorrect dates on database.\n                                                                  3) No explanation for overdue\n                                                                  noncompliance issues and not\n                                                                  escalated.\n                                                                  4) Inconsistent results reported\n                                                                  between checklist, audit report,\n                                                                  and/or Program Management\n                                                                  Office Director Report.\n12.   Totally Automated      1) Audit notification and audit      1) Incorrect dates on database.\n      Personnel System       evaluation checklists not on         2) No explanation for partially\n      Program Operations     electronic network repository;       compliant and noncompliance\n      and Maintenance        provided upon request.               issues \xe2\x80\x93 unable to track these\n                             2) No peer review documentation.     checklist issues to the reported\n                                                                  noncompliance issues.\n                                                                  3) No explanation for overdue\n                                                                  noncompliance issues and not\n                                                                  escalated.\n                                                                  4) Inconsistent results reported\n                                                                  between checklist, audit report,\n                                                                  and/or Program Management\n                                                                  Office Director Report.\n13.   Business Master File   Audit notification and peer review   1) No explanation for partially\n      Electronic Filing      documentation not on electronic      compliant and noncompliance\n                             network repository; provided upon    issues \xe2\x80\x93 unable to track these\n                             request.                             checklist issues to the reported\n                                                                  noncompliance issues.\n                                                                  2) Incorrect dates on database.\n\n\n\n\n                                                                                                     Page 19\n\x0c               The Applications Development Function\xe2\x80\x99s Quality Assurance\n                 Program Office Can Make Its Processes More Effective\n\n\n\n                             Table 2: Fiscal Year 2009 Audits\n\n          Quality                     TIGTA                                    TIGTA\n      Assurance Audit            Documentation Issue                       Procedural Issue\n1.   Return Inventory         Audit evaluation checklist with       No explanation for overdue\n     Classification System    comments and peer review              noncompliance issues and not\n                              documentation not on electronic       escalated.\n                              network repository; received\n                              upon request.\n2.   Examination Returns      1) Audit evaluation checklist with    No explanation for overdue\n     Control System           comments not on electronic            noncompliance issues and not\n                              network repository; received          escalated.\n                              upon request.\n                              2) No peer review\n                              documentation.\n3.   Issue Based              1) Opening presentation, audit        1) No explanation for partially\n     Management               evaluation checklist, audit report,   compliant and noncompliance issues\n     Information System       and corrective action plan not on     \xe2\x80\x93 unable to track these checklist\n                              electronic network repository;        issues to the reported noncompliance\n                              provided upon request.                issues.\n                              2) No peer review                     2) No explanation for overdue\n                              documentation.                        noncompliance issues and not\n                                                                    escalated.\n                                                                    3) Inconsistent results reported\n                                                                    between checklist, audit report,\n                                                                    and/or Program Management Office\n                                                                    Director Report.\n4.   Appeals Centralized      Peer review documentation and         No explanation for overdue\n     Database System          corrective action plan not on         noncompliance issues and not\n                              electronic network repository;        escalated.\n                              provided upon request.\n5.   Inventory Delivery       1) Opening presentation, audit        No explanation for overdue\n     System                   evaluation checklist, and audit       noncompliance issues and not\n                              report not on electronic network      escalated.\n                              repository; provided upon\n                              request.\n                              2) Corrective action plan\n                              incomplete.\n                              3) No peer review\n                              documentation.\n\n\n\n\n                                                                                                    Page 20\n\x0c                   The Applications Development Function\xe2\x80\x99s Quality Assurance\n                     Program Office Can Make Its Processes More Effective\n\n\n\n\n           Quality                     TIGTA                                   TIGTA\n       Assurance Audit            Documentation Issue                      Procedural Issue\n 6.   Notice Conversion        1) No audit notification            1) No explanation for noncompliant\n                               documentation.                      issues \xe2\x80\x93 unable to track these\n                               2) No peer review                   checklist issues to the reported\n                               documentation.                      noncompliance issues.\n                                                                   2) Incorrect dates on database.\n 7.   Individual Master File   1) No audit notification            1) No explanation for partially\n      Online                   documentation.                      compliant issues \xe2\x80\x93 unable to track\n                               2) No peer review                   these checklist issues to the reported\n                               documentation.                      noncompliance issues.\n                               3) Open presentation, audit         2) Program Review \xe2\x80\x93 No audit\n                               evaluation checklist, and           information included on the Quality\n                               corrective action plan not on       Assurance Program Office database.\n                               electronic network repository;      3) No explanation for overdue\n                               provided upon request.              noncompliance issues and not\n                                                                   escalated.\n 8.   e-Services               1) Audit notification not on        1) No explanation for partially\n                               electronic network repository;      compliant issues \xe2\x80\x93 unable to track\n                               provided upon request.              these checklist issues to the reported\n                               2) No peer review                   noncompliance issues.\n                               documentation.                      2) Program Review \xe2\x80\x93 No audit\n                                                                   information included on the Quality\n                                                                   Assurance Program Office database.\n 9.   Account Management       1) Audit notification not on        Program Review \xe2\x80\x93 No audit\n      Services Operations      electronic network repository;      information included on the Quality\n      and Maintenance          provided upon request.              Assurance Program Office database.\n      Sub-Projects: Field      2) No audit evaluation checklist.\n      Assistance Self Assist   3) No peer review\n      Model                    documentation.\n10.   Automated Labor and      1) No audit notification            1) No explanation for partially\n      Employee Relations       documentation.                      compliant and noncompliance issues\n      Tracking System          2) No peer review                   \xe2\x80\x93 unable to track these checklist\n                               documentation.                      issues to the reported noncompliance\n                                                                   issues.\n                                                                   2) No explanation for overdue\n                                                                   noncompliance issues and not\n                                                                   escalated.\n                                                                   3) Incorrect dates on database.\n11.   GovTrip                  1) No audit notification and open   No explanation for partially\n                               presentation documentation.         compliant issues \xe2\x80\x93 unable to track\n                               2) No peer review                   these checklist issues to the reported\n                               documentation.                      noncompliance issues.\n\n\n                                                                                                     Page 21\n\x0c                The Applications Development Function\xe2\x80\x99s Quality Assurance\n                  Program Office Can Make Its Processes More Effective\n\n\n\n\n           Quality                     TIGTA                               TIGTA\n       Assurance Audit            Documentation Issue                  Procedural Issue\n12.   Unpaid Assessments       1) Audit notification not on     1) No explanation for partially\n                               electronic network repository;   compliant and noncompliance issues\n                               provided upon request.           \xe2\x80\x93 unable to track these checklist\n                               2) No peer review                issues to the reported noncompliance\n                               documentation.                   issues.\n                                                                2) Noncompliance issues closed\n                                                                even though not resolved because a\n                                                                followup audit being conducted.\n13.   Custodial Detail         1) Audit notification not on     1) No explanation for partially\n      Database                 electronic network repository;   compliant and noncompliance issues\n                               provided upon request.           \xe2\x80\x93 unable to track these checklist\n                               2) No peer review                issues to the reported noncompliance\n                               documentation.                   issues.\n                                                                2) Noncompliance issues closed\n                                                                even though not resolved because\n                                                                followup audit being conducted.\n14.   Embedded Quality         No peer review documentation.    No explanation for partially\n                                                                compliant and noncompliance issues\n                                                                \xe2\x80\x93 unable to track these checklist\n                                                                issues to the reported noncompliance\n                                                                issues.\n15.   Individual Master File   1) No audit notification         1) No explanation for partially\n      Document Specific        documentation.                   compliant and noncompliance issues\n                               2) No peer review                \xe2\x80\x93 unable to track these checklist\n                               documentation.                   issues to the reported noncompliance\n                                                                issues.\n                                                                2) Incorrect dates on database.\n16.   Modernized e-File        1) No audit notification         No explanation for partially\n      Operations and           documentation.                   compliant and noncompliance issues\n      Maintenance              2) No peer review                \xe2\x80\x93 unable to track these checklist\n                               documentation.                   issues to the reported noncompliance\n                                                                issues.\n\n\n\n\n                                                                                                Page 22\n\x0c                 The Applications Development Function\xe2\x80\x99s Quality Assurance\n                   Program Office Can Make Its Processes More Effective\n\n\n\n                                                                                Appendix V\n\n                                 Glossary of Terms\n\n             Term                                          Definition\nBest Practice                    A technique or methodology that, through experience and\n                                 research, has proven to reliably lead to a desired result.\nCapability Maturity Model        A model or collection of \xe2\x80\x9cbest practices\xe2\x80\x9d that organizations\nIntegration - Development\xc2\xae       follow to dramatically improve the effectiveness, efficiency,\n                                 and quality of their product and service development work.\n                                 CMMI-Development is also supported by training courses and\n                                 appraisal methodologies to help organizations objectively\n                                 measure their improvement progress.\nEnterprise Life Cycle            A structured business systems development method that\n                                 requires the preparation of specific work products during\n                                 different phases of the development process.\nRelease                          A specific edition of software.\nSoftware Engineering Institute   A Federally funded research and development center whose\n                                 purpose is to help others make measured improvements in\n                                 their software engineering capabilities.\nTask Order                       An order for services planned against an established contract.\n\n\n\n\n                                                                                         Page 23\n\x0c    The Applications Development Function\xe2\x80\x99s Quality Assurance\n      Program Office Can Make Its Processes More Effective\n\n\n\n                                                   Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 24\n\x0cThe Applications Development Function\xe2\x80\x99s Quality Assurance\n  Program Office Can Make Its Processes More Effective\n\n\n\n\n                                                     Page 25\n\x0cThe Applications Development Function\xe2\x80\x99s Quality Assurance\n  Program Office Can Make Its Processes More Effective\n\n\n\n\n                                                     Page 26\n\x0c'